[fix] Fix serializers vpn cleanup, add Wireguard IP test, update changelog openwisp#1221

mn-ram · mn-ram · commit 4c35d824ceba · 2026-03-25T23:30:24.000+05:30
- Fix serializers.py: vpn_list was built from old templates so .exclude(vpn__in=vpn_list) never matched the client being removed. Now uses new_vpn_ids from config_templates so clients for removed VPN templates are correctly deleted (including PATCH with empty list). - Add test_wireguard_vpnclient_ip_released_on_template_removal to verify that Wireguard VPN client IP addresses are released on template removal. - Expand API test to cover both "replace with generic" and "empty list" PATCH scenarios. - Add CHANGES.rst entry under Version 1.3.0 [unreleased]. Related to openwisp#1221 Co-Authored-By: mn-ram <mn-ram@users.noreply.github.com>
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,7 +4,14 @@ Changelog
 Version 1.3.0 [unreleased]
 --------------------------
 
-Work in progress.
+Bugfixes
+~~~~~~~~
+
+- Fixed VPN peer cache desync when VPN template is removed from a device:
+  ``VpnClient`` objects are now deleted via per-instance ``delete()`` so that
+  ``post_delete`` signals fire, ensuring peer cache invalidation, certificate
+  revocation, and IP address release `#1221
+  <https://github.com/openwisp/openwisp-controller/issues/1221>`_
 
 Version 1.2.2 [2026-03-06]
 --------------------------
diff --git a/openwisp_controller/config/api/serializers.py b/openwisp_controller/config/api/serializers.py
@@ -200,14 +200,15 @@ def _update_config(self, device, config_data):
             old_templates = list(config.templates.values_list("id", flat=True))
             if config_templates != old_templates:
                 with transaction.atomic():
-                    vpn_list = config.templates.filter(type="vpn").values_list("vpn")
-                    if vpn_list:
-                        for vpnclient in (
-                            config.vpnclient_set.select_related("vpn", "cert", "ip")
-                            .exclude(vpn__in=vpn_list)
-                            .iterator()
-                        ):
-                            vpnclient.delete()
+                    new_vpn_ids = Template.objects.filter(
+                        pk__in=config_templates, type="vpn"
+                    ).values_list("vpn", flat=True)
+                    for vpnclient in (
+                        config.vpnclient_set.select_related("vpn", "cert", "ip")
+                        .exclude(vpn__in=new_vpn_ids)
+                        .iterator()
+                    ):
+                        vpnclient.delete()
                     config.templates.set(config_templates, clear=True)
             config.save()
         except ValidationError as error:
diff --git a/openwisp_controller/config/tests/test_api.py b/openwisp_controller/config/tests/test_api.py
@@ -520,9 +520,9 @@ def test_device_patch_with_templates_of_different_org(self):
         )
 
     def test_device_patch_vpn_template_removal_triggers_post_delete(self):
-        """Regression test for #1221: replacing a VPN template with a generic
-        one via PATCH API must trigger VpnClient.post_delete so peer cache is
-        invalidated and the certificate is revoked."""
+        """Regression test for #1221: removing VPN template via PATCH API must
+        trigger VpnClient.post_delete so peer cache is invalidated and the
+        certificate is revoked. Tests both empty and non-empty replacement."""
         org = self._get_org()
         vpn = self._create_vpn(organization=org)
         t_vpn = self._create_template(
@@ -531,20 +531,33 @@ def test_device_patch_vpn_template_removal_triggers_post_delete(self):
         t_generic = self._create_template(name="generic-test", organization=org)
         device = self._create_device(organization=org)
         config = self._create_config(device=device)
-        config.templates.add(t_vpn)
-        vpnclient = config.vpnclient_set.first()
-        self.assertIsNotNone(vpnclient)
-        cert_pk = vpnclient.cert.pk
-
         path = reverse("config_api:device_detail", args=[device.pk])
-        # PATCH replacing VPN template with a generic template
-        data = {"config": {"templates": [str(t_generic.pk)]}}
-        with patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
-            response = self.client.patch(path, data, content_type="application/json")
-            mock_invalidate.assert_called_once()
-        self.assertEqual(response.status_code, 200)
-        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
-        self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+        with self.subTest("replace VPN template with generic template"):
+            config.templates.set([t_vpn])
+            vpnclient = config.vpnclient_set.first()
+            self.assertIsNotNone(vpnclient)
+            cert_pk = vpnclient.cert.pk
+            data = {"config": {"templates": [str(t_generic.pk)]}}
+            with patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+                response = self.client.patch(path, data, content_type="application/json")
+                mock_invalidate.assert_called_once()
+            self.assertEqual(response.status_code, 200)
+            self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+            self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+        with self.subTest("remove all templates (empty list)"):
+            config.templates.set([t_vpn])
+            vpnclient = config.vpnclient_set.first()
+            self.assertIsNotNone(vpnclient)
+            cert_pk = vpnclient.cert.pk
+            data = {"config": {"templates": []}}
+            with patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+                response = self.client.patch(path, data, content_type="application/json")
+                mock_invalidate.assert_called_once()
+            self.assertEqual(response.status_code, 200)
+            self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+            self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
 
     def test_device_change_organization_required_templates(self):
         org1 = self._create_org(name="org1")
diff --git a/openwisp_controller/config/tests/test_vpn.py b/openwisp_controller/config/tests/test_vpn.py
@@ -767,6 +767,18 @@ def test_trigger_vpn_server_endpoint_invalid_vpn_id(self):
                 f"VPN Server UUID: {vpn_id} does not exist."
             )
 
+    def test_wireguard_vpnclient_ip_released_on_template_removal(self):
+        """Regression test for #1221: when a Wireguard VPN template is removed,
+        the allocated IP address must be released (deleted)."""
+        device, vpn, template = self._create_wireguard_vpn_template()
+        vpnclient = device.config.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        self.assertIsNotNone(vpnclient.ip)
+        ip_pk = vpnclient.ip.pk
+        device.config.templates.remove(template)
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        self.assertFalse(IpAddress.objects.filter(pk=ip_pk).exists())
+
 
 class TestWireguardTransaction(BaseTestVpn, TestWireguardVpnMixin, TransactionTestCase):
     mock_response = mock.Mock(spec=requests.Response)
